This week, one of the most used Popcorn Time forks had its domain name suspended. We later learned that the registrar took this decision based on a US court order. That would be nothing out of the ordinary, were it not for the fact that the document was clearly falsified. The registrar eventually reversed its decision after questions were asked, but the trouble didn't stop there.

The grounds for the suspension initially remained unclear. However, after asking for clarification, 101domain explained to the site operator that it had received an injunction from a US court.

The injunction in question appeared to have been sent by the Motion Picture Association (MPA). It was signed by a federal judge at the US District Court for the District of Columbia and indeed targeted Popcorntime.sh.

Since the MPA had gone after various Popcorn Time forks in the past, this sounded somewhat plausible. However, the document clearly isn’t real.

At TorrentFreak, we received a copy of the same injunction two weeks ago. It was sent in by an anonymous tipster who urged us to report on it. While the story made some sense, on closer inspection we found that the injunction was obviously falsified.

For example, the court stamp and the signed date are from May 2019 while the document itself was filed in November 2019, according to the header. The case reference number also identifies a completely unrelated lawsuit and the paperwork shows several other signs of tampering.

Most telling, perhaps, is that the associated injunction is supposed to prevent “the immediate and irreparable harm will result to Microsoft.” Microsoft?

Some more digging showed that, while there is no such filing from the MPA, there is an almost identical order from last May in a case between Microsoft and several John Does who operated domains such as identity-verificationservice.info.

This case has nothing to do with Popcorn Time. Someone simply took the document and changed several details, making it look as if it came from the MPA targeting Popcorntime.sh.

Although this didn’t take much effort for us to uncover, the fabricated document was apparently sufficient to convince 101domain to suspend the domain. Popcorn Time shared a copy of the response it received from the registrar’s abuse team, which attached the falsified document.

We reached out to the registrar to verify this and also pointed out our suspicions but, unfortunately, we didn’t hear back. Interestingly, a few hours later 101domain suddenly realized that the document was fabricated.

A Popcorn Time representative informs TorrentFreak that the domain suspension was lifted after 101domain confirmed with the US District Court that the injunction wasn’t legitimate.

While this is good news for Popcorn Time, it may never have happened if people had started asking questions sooner.

Perhaps surprisingly, 101domain was not the only registrar to fall for the falsified court document. When Popcorn Time had its .sh domain suspended, it switched to Popcorntime.app, a domain it registered through 1API.

It didn’t take long before that registrar received a similarly altered ‘injunction’. The same Microsoft order was used as the basis again, but this time it targeted the new domain, Popcorntime.app.

In an email, which the Popcorn Time representative shared with TorrentFreak, 1API explained that Popcorn Time had 48 hours to respond, adding that the domain name may eventually be put on hold.

1API also revealed the request from the original complainant, which was sent from a protonmail.ch address, supposedly by a member of MPA’s legal team named ‘John Gibetstan’.

“Hello 1API, I am a representative of the MPA’s Legal Team. We have obtained an injunction to take control of a domain under your system. The domain in question would be popcorntime.app. You have 5 business days to take action on the injunction,” it reads.

Aside from the various flaws in the underlying document, this email doesn’t appear to be very professional. The MPA doesn’t use Protonmail addresses either, and there’s not even a John Gibetstan working there.

For now, the PopcornTime.app domain remains available but 1API’s 48-hour window hasn’t expired yet. We reached out to 1API requesting additional details and comment on the issue but, at the time of writing, we have yet to hear back.

All in all, the episode shows that it’s surprisingly easy for malicious actors to fool some domain registrars, at least initially. Who the fake complainant is and why he or she wants Popcorn Time offline remain a mystery.

Update: 1API informs us that it forwarded the notice as part of standard policy and that it wouldn’t take any further action without a legitimate (German naturalized) court order. In this case, no action will be taken.